General Data Protection Regulation (GDPR) has been four years in the making, and marks the biggest potential impact for businesses in the digital era. It’s vital for all business owners to familiarise themselves fully with the regulations before they become law in May 2018.
Here are some key questions.
Who does it apply to?
Any business targeting EU residents needs to comply with GDPR, even if data processing takes place outside the bloc. The only exempt organisations are law enforcement groups and those dealing with national security.
What are the penalties?
In the UK the maximum penalty for data breaches is currently £500K. GDPR fines will be much higher, with a maximum penalty of €20 million or 4% of annual worldwide gross turnover, whichever is higher. It is therefore vital to monitor your IT security constantly.
What’s changing for the client?
New consumer rights, such as the right to be “forgotten” and the right to portability, mean big changes for data storage and use. The definition of personal data will expand to include cookies and IP addresses. This provides an opportunity to build trust with customers by going above and beyond. As well as securing their personal data, encrypt any communications you have with them to protect against phishing and other online fraud.
How long do I have to rectify the problem?
Once GDPR is in place you’ll need to be prepared to react. If a customer wants to exercise a right, such as erasure, you must respond within a month. Likewise, if a serious security breach becomes evident it needs to be reported within 72 hours.
What can I use and store?
Consent is more important than ever: it needs to be active (no pre-ticked boxes) and explicit. Data can only be used for the purposes for which consent is given, and you can’t bundle consent agreements together. It is also prohibited to withhold service until consent is given. Note that customers can withdraw their consent at any time, and parental consent is required for data regarding children under the age of 13 in the UK.
What about our partners?
Third party suppliers are under similar obligations, so choosing trustworthy partners with a strong data protection culture and robust processes is a prime concern. If a person wants to exercise their rights, your third party supplier will need to comply within the same time limits. Remember: customers objecting to their personal data being used in ways they don’t like could bring about both legal ramifications and a severely tarnished reputation.
What are my next steps?
There is much to cover over the next two years. Governance, audits, training and records of why and where personal data is kept will all be required, as will technical measures like safe storage, encryption and pseudonymisation (personally attributable data held separately from the rest to increase privacy).
Also, you should look to get both first and third party cyber insurance cover to help deal with any data breaches should they occur.
Remember: nobody can guarantee 100% that you will not suffer a cyber attack.
Should I panic?
The regulation provides a great opportunity to build customer trust and gain competitive advantages in the process. Although GDPR doesn’t come into force until May 2018, working on your personal data protection strategy now may well be the most effective approach. Letting clients know you are working on the regulations should enhance their confidence in you.
The biggest change will be the relationship between business and consumer. As power shifts away from collectors, ‘give and take’ (instead of simply ‘take’) relationships will be intrinsic to getting the data businesses need.
Trust gives customers the confidence to willingly share data while simultaneously increasing affinity to a brand. This takes us closer to ‘one-to-one’ marketing instead of broad targeting and educated guesswork.
Encryption at every level will start to build this trust. Consent is going to be a tough challenge, yet it also represents a huge opportunity. Therefore, it may be wise to start testing ways to ask for consent in a way that customers respond positively to.
With proper security and a bold strategy, those that embrace GDPR in its infancy can leave their competitors behind.
Chorus Business Advisers are now working closely with local solicitors Nicholls Law to assist companies in developing a plan to safeguard their data.
For more information contact Chorus Advisers on 0845 8671263 or email firstname.lastname@example.org, or Nicholls Law on 01702 804134 or email email@example.com.